Burp Suite User Forum

Login to post

Burp 2.0 extension-only audit

Omar | Last updated: May 19, 2019 07:56PM UTC

I have a local page that I use to test for LFI attacks, when I used to run active scan against this page in Burp 1.7.37, I get the attack detected by different extensions, e.g. J2EEScan. I tried to scan the same page in Burp 2.20beta with the extension-only audit. However, I got no results and by checking the logs I don't see any of the extension packets, only maybe Active Scan++ but no J2EEScan nor Scan Check Builder packets. I used the jar file for Burp2.20beta. Would you have an idea why such an issue took place and if there is a way to get extension-only audit to work with the above mentioned extensions?

Rose, PortSwigger Agent | Last updated: May 20, 2019 08:26AM UTC

When you select the extension via Extender > Extensions, do you see anything in the Errors tab?

Burp User | Last updated: May 20, 2019 08:41AM UTC

No, there are no errors. I reinstalled the extension again, yet no scans are carried out by the extension. i.e. J2EEScan

PortSwigger Agent | Last updated: May 20, 2019 02:31PM UTC

Omar - I just checked with Burp 2.0.20 on MacOS and J2EEScan was correctly generating requests in an extension only audit. I was able to view the requests in Logger++ Are you on a different platform? Are you able to see J2EEScan requests in Logger++ ?

Burp User | Last updated: May 21, 2019 02:27PM UTC

I am testing in a Kali VM, I use the flow extension to check for the traffic, I searched for the J2EEScan payload in version Burp 2.0.20beta and I didn't find it there. Another point, I see that as per the dashboard I got 16 exceptions of connection reset, while in the stable version I got none. I know that the extension is loaded and is working properly as I can see some of the passive checks already in the target section, my problem is with the active scanning in the beta version.

Rose, PortSwigger Agent | Last updated: May 28, 2019 12:22PM UTC

Omar, sorry for the delay in getting back to you. Burp extensions are developed by third party developers. We'd recommend contacting the authors with this issue: - https://github.com/ilmila/J2EEScan

Burp User | Last updated: Sep 08, 2019 11:55AM UTC

Hello Omar, I'm the mantainer of J2EEScan, if you still have problems with the stable burp 2.x please let me know, using github. Regards, Enrico

Rose, PortSwigger Agent | Last updated: Sep 09, 2019 06:35AM UTC

Enrico, thanks for getting back to this customer, we really appreciate it.

You need to Log in to post a reply. Or register here, for free.